| 1 |
|
|
| 2 |
|
https://bugzilla.redhat.com/show_bug.cgi?id=690915 |
| 3 |
|
|
| 4 |
|
http://svn.php.net/viewvc/?view=revision&revision=307917 |
| 5 |
|
|
| 6 |
|
(r287095 already included in 5.3.3) |
| 7 |
|
|
| 8 |
|
--- php-5.3.3/ext/zip/zip_stream.c.cve1471 |
| 9 |
|
+++ php-5.3.3/ext/zip/zip_stream.c |
| 10 |
|
@@ -30,11 +30,11 @@ struct php_zip_stream_data_t { |
| 11 |
|
/* {{{ php_zip_ops_read */ |
| 12 |
|
static size_t php_zip_ops_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) |
| 13 |
|
{ |
| 14 |
|
- int n = 0; |
| 15 |
|
+ ssize_t n = 0; |
| 16 |
|
STREAM_DATA_FROM_STREAM(); |
| 17 |
|
|
| 18 |
|
if (self->za && self->zf) { |
| 19 |
|
- n = (size_t)zip_fread(self->zf, buf, (int)count); |
| 20 |
|
+ n = zip_fread(self->zf, buf, count); |
| 21 |
|
if (n < 0) { |
| 22 |
|
int ze, se; |
| 23 |
|
zip_file_error_get(self->zf, &ze, &se); |
| 24 |
|
@@ -42,13 +42,15 @@ static size_t php_zip_ops_read(php_strea |
| 25 |
|
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zip stream error: %s", zip_file_strerror(self->zf)); |
| 26 |
|
return 0; |
| 27 |
|
} |
| 28 |
|
- if (n == 0 || n < count) { |
| 29 |
|
+ /* cast count to signed value to avoid possibly negative n |
| 30 |
|
+ * being cast to unsigned value */ |
| 31 |
|
+ if (n == 0 || n < (ssize_t)count) { |
| 32 |
|
stream->eof = 1; |
| 33 |
|
} else { |
| 34 |
|
self->cursor += n; |
| 35 |
|
} |
| 36 |
|
} |
| 37 |
|
- return (n < 1 ? 0 : n); |
| 38 |
|
+ return (n < 1 ? 0 : (size_t)n); |
| 39 |
|
} |
| 40 |
|
/* }}} */ |
| 41 |
|
|
Parent Directory
| 
Revision Log
| 
Revision Graph
| 
Patch
